The next president will have an opportunity to elevate the status of cyber issues in U.S. Asia policy.
When Donald Trump takes office on January 20, 2017, he will be expected to take responsibility for responding to a wide array of global issues. Many of his most significant decisions will be centered in Asia, as recognized by the Obama administration’s policy of “rebalancing to Asia.” But while the United States has thus far sought to emphasize security interests via a bolstered military presence and business interests through a potential trans-Pacific trade deal, one crosscutting matter of both strategic and economic significance has received less attention than it deserves: cybersecurity. Collaboration among both states and non-state actors is essential to shoring up the gaps in existing cybersecurity defenses in and toward Asia, and the next administration must be at the forefront of this effort.
The significance of Asian cyber risk is rooted in technology’s role in fueling and shaping Asia’s rise, a development that serves as a foundation for the region’s importance to the United States. The benefits of technology to Asia are readily apparent; the rapid evolution of China’s economy has seen local technology businesses rising and, in some cases, leaping ahead of their Western counterparts — from Alibaba and Didi Kuaidi to Tencent and Baidu.
Just as Asia has become the most dynamic venue for global economic activity, it has also become the locus of cyber risk. For example, according to the World Economic Forum’s Global Risks Report, cybersecurity is the third most cited risk to doing business in the region overall. A recent study by U.S. security company Mandiant argues that Asian companies have the world’s worst cybersecurity, and an estimate by accounting firm Grant Thornton placed the cost of cyber attacks to private businesses in Asia at $81 billion in 2015, $20 billion more than both North America and the European Union.
Cyber risks are particularly significant in the advanced economies of South Korea, Australia, New Zealand, Japan, and Singapore, all U.S. allies or partners, and home to particularly vital U.S. business interests. Dubbed the “Cyber Five,” these countries are Asia’s most heavily reliant on internet-based interactions, a dependence that has made them nine times more vulnerable to cyber attack than the other 13 Asian economies for which data are available. Japan, the United States’ principal regional ally, has been described as uniquely unprepared for the cyber challenges of the 21st century, ranging from attacks by foreign quasi-state actors to theft by domestic criminals. As noted by Jeff Kingston of Temple University’s Japan Campus, “It doesn’t get any more embarrassing than the discovery that the Wi-Fi network at the lodging for reporters covering the G-7 Ise-Shima summit was tampered with and can infect users’ computers with a virus that has been traced back to Russia.”
But perhaps the most significant reason for prioritizing an Asian cybersecurity “rebalance” is that which is most felt at home: the cyber threat from China. In particular, three issues have come to dominate U.S.-China cybersecurity concerns: China’s intrusions into corporate networks to steal intellectual property and proprietary business information; its growing penetration of U.S. systems through cyberspace for traditional espionage purposes; and the prospect that it might be prepared to use a cyber attack to take down critical infrastructure during a crisis. In recognition of these concerns, the United States and China made a number of agreements on cybersecurity, cyber espionage and cyber crime in September 2015. However, while these are solid first steps, the U.S.-China cyber dialogue has yet to be formalized, routinized, and effectively insulated from political point scoring. Should outlying concerns remain unresolved, it is not hard to imagine cyber issues becoming intertwined with a crisis that spirals out of control. For example, cyber attacks could cause an incident in the South China Sea to escalate rapidly.
Together, then, the significant cyber threats to business interests in Asia, the cyber weakness of United States’ vital Asian partners and allies, and the cyber challenge of a rising China demand a comprehensive prioritization of Asian cyber risk by the next U.S. president. Unfortunately, Asia’s relatively weak institutions for international security cooperation do not bode well for effective governmental agreements on cybersecurity at an inclusive, region-wide level. This fact requires that efforts be advanced to develop norms for responsible state behavior in cyberspace between the United States and China. As part of this effort, the United States should prioritize engaging China to establish clearer understandings of state responsibilities in cybersecurity and further development of cooperative measures. While significant disagreements remain, the next administration can encourage progress by delinking cyber cooperation from other matters, especially traditional security, aiming to use this important matter as a foundation for stability in a dynamic relationship — especially given the significant commercial interests inherent to both Chinese and U.S. companies and government-related security priorities in the region.
While prioritized bilateral cyber discussions with China are essential, the United States also needs to work closely with its regional partners. China’s growing assertiveness both inside and outside the realm of cybersecurity creates a powerful incentive for cooperation and collective action. Toward this goal, currently efforts toward cybersecurity cooperation with allies, including Australia, Japan, and Korea, should be strengthened across all levels of U.S. government engagement and extended to other regional partners, with a particular emphasis on expanding this cooperation multilaterally.
Finally, the United States should seek to improve regional cybersecurity more broadly by encouraging all Asian states to take measures that can support cybersecurity best practices — including tightening personal data protection guidelines and stepping up enforcement of privacy rules. As part of this effort, the United States should also provide encouragement and facilitation to universities, research institutions, think tanks, and businesses as a foundation for expanding cooperation on critical privacy, trade, commerce, and critical infrastructure protection, and as a pathway to expanded government-to-government dialogue.
In an increasingly interconnected and interdependent world, it is in no one’s interest for cyber threats to diminish regional business prospects, or for conflict to escalate into a military clash or lead to a breakdown in trade. This is arguably even more true for Asia, as the greatest regional driver of global growth. The presidential changing of the guard represents an ideal opportunity for the United States, and the region more broadly, to elevate cybersecurity risks amidst U.S. efforts to tap regional economic opportunities. Through cooperation with other regional states — especially China and regionally influential sovereign powers — as well as a variety of significant non-state actors, the next administration has the potential to comprehensively rebalance cyber risk to the center of regional strategic and economic efforts, to the benefit of the United States as well as the regional and global community.
Taylor M. Wettach is a graduate student at Georgetown University’s School of Foreign Service and a Pacific Forum CSIS Young Leader. He was most recently a Harold W. Rosenthal Fellow in International Relations with the Japan Business Federation (Keidanren). He tweets at @twettach.